We are using a PA-3020 running PAN-OS 7.1.14.
We have entered all public IP addresses for Okta in our GlobalProtect Gateway client access route settings.
Our intention is for Okta to only see client IP requests coming from our one corporate public IP (instead of the client's ISP).
We want split tunnelling except for when accessing <name>.okta.com.
We have our internal DNS server IP added for the GlobalProtect clients to use (forwarding configured to public DNS).
However, when connected to GlobalProtect, <name>.okta.com will not resolve: "this site can't be reached", and it times out.
I've confirmed with a ping -a that the public IP it resolves to is in the list for access routes.
I've also tried adding an internal DNS zone for <name>.okta.com, but it has not helped.
Wondering if anyone has any tips?
Yeah, I think you are right, thank you. We do not have a security rule in place from the VPN zone to the Untrust zone. I assume because it was not necessary.
I just tried it, but still not working. I believe I need to add all the IPs in there, since I am now getting a page not found error (instead of time out).
Traffic to the Okta public IP is not even registering in the traffic log at the moment; I have not packet captured yet.
Not sure if the internal DNS zone I created for <name>.okta.com is needed or not, will try to find out.
Still testing, will update.
Just to ensure that you are actually getting all of the logs, you might want to override the interzone-default policy to log the traffic, as if you don't have a security policy allowing it, the denied traffic won't be logged by default.
You were right. I did not think to add the VPN zone to the security rule to Untrust and to the Dynamic IP and Port NAT rule.
Resolved. Thanks again!
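The fix the thread arrives at, written out as PAN-OS CLI set commands (an added example, not the poster's configuration): the VPN and Untrust zone names come from the thread; the interface name ethernet1/1, the rule, address-object and group names, the RFC 5737 placeholder addresses standing in for the Okta list, and the client address 10.10.10.5 are assumptions. Lines starting with # are annotations, not CLI input; verify the syntax against your own PAN-OS version.

```text
configure

# Address objects/group for the Okta public IPs (placeholders; use the same
# published Okta addresses you entered as GlobalProtect access routes).
set address okta-ip-1 ip-netmask 192.0.2.10/32
set address okta-ip-2 ip-netmask 198.51.100.20/32
set address-group Okta-Public-IPs static [ okta-ip-1 okta-ip-2 ]

# Security policy: allow GlobalProtect clients (VPN zone) out to Okta (Untrust zone),
# logging at session end so hits are visible in the traffic log.
set rulebase security rules GP-to-Okta from VPN to Untrust source any destination Okta-Public-IPs application any service application-default action allow log-end yes

# NAT: dynamic IP and port translation of VPN-zone traffic to the egress interface
# address, so Okta only ever sees the corporate public IP.
set rulebase nat rules GP-Outbound-DIPP from VPN to Untrust source any destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Log sessions that fall through to interzone-default so denies are not silent.
set rulebase default-security-rules rules interzone-default log-end yes

commit
exit

# Operational-mode checks: confirm which security and NAT rules a client's HTTPS
# session to an Okta address would match before testing from a GP client.
test security-policy-match from VPN to Untrust source 10.10.10.5 destination 192.0.2.10 protocol 6 destination-port 443
test nat-policy-match from VPN to Untrust source 10.10.10.5 destination 192.0.2.10 protocol 6 destination-port 443
```

If the policy-match tests return no rule, the session never reaches Okta and, without the interzone-default logging override, also never appears in the traffic log, which matches the symptom described above.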